On Jan 14, 2010, at 7:39 PM, Richard L. Barnes wrote:
As such, I can't see how *not* requiring SSL for unsigned requests
could pass muster at an IETF security review.
Speaking as someone who does IETF security reviews ... :)
If I were reviewing a document that defines an optional
The points about matching security to use case are excellent. This is why I
think we're maybe misinterpreting Eran's argument for MUST. It's not an
argument from security alone (we must always have highest security all the
time); it's an argument from interoperability of security features at
To: Eve Maler
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Allowing Secrets in the Clear Over Insecure Channels
+1 to MUST implement TLS on both sides.
I thought we were only discussing whether the server could decide to
skip TLS for a particular use case. No?
On Friday, January 15, 2010, Eve Maler e...@xmlgrrl.com wrote:
The points about matching
On Fri, 2010-01-15 at 14:41 -0700, Eran Hammer-Lahav wrote:
On 1/15/10 7:58 AM, John Kemp j...@jkemp.net wrote:
When I look at what is possible in the offline world, I would ask - would you require that movie theatre tickets bought in advance were encrypted in transport between the
On Wed, 2010-01-13 at 23:05 -0700, Eran Hammer-Lahav wrote:
Authentication Open Question #3: Should require using TLS/SSL/secure channel
for any request made without a signature?
WRAP got a lot of attention (mostly negative) to how it sends requests
without using signatures or a secure
Actually, this makes a lot of sense. I believe that such URLs can be
made sufficiently secure by signing with a key bootstrapped from the
password (something like PAK or EKE). But they ought to remain secret,
which is pretty impossible to ensure, or they must be made unreusable
by anyone
Doesn't the fact that this approach has clearly failed for HTTP Basic act as
a warning sign? 2617 clearly states the problems in using Basic over
insecure channels, and yet, given its simplicity, it is one of the most
widely used and abused protocols around.
I think this is a case where security
On Wed, Jan 13, 2010 at 10:05 PM, Eran Hammer-Lahav e...@hueniverse.com wrote:
Authentication Open Question #3: Should require using TLS/SSL/secure channel
for any request made without a signature?
Yes. Either TLS/SSL should be used or there should be an appropriate
signature. I'll leave